Compliance: GDPR and Payment Data
Payment data about an identifiable person is personal data, so it falls under data-protection law as well as PCI DSS. Handling it correctly keeps you on the right side of both.
This article explains where GDPR and payments intersect. It is general guidance, not legal advice.
What Counts as Payment Data
Names, billing addresses, e-mail addresses, transaction histories and the provider tokens linked to a person are all personal data. Even without raw card numbers, you hold information the law protects, and a token that can still charge a named customer counts just as much as the record that names them.
Your Obligations
- Collect only the payment data you genuinely need, and keep it only as long as you have a reason to.
- Keep it secure and limit who can access it.
- Honour customer requests to access, correct or erase their data within the statutory deadline (normally one month).
- Engage payment providers only under a written data-processing agreement (GDPR Article 28).
Where Providers Help
Reputable payment providers act as processors for your transactions and offer the agreements and controls you need. Check the agreement for the purposes where the provider acts as an independent controller instead (fraud screening and anti-money-laundering checks are common), because those are not covered by your instructions. We make sure those agreements are in place and that your own systems hold no more data than necessary.
Frequently Asked Questions
Can I erase a customer who asks, if they have invoices?
Usually, yes. Erase the personal fields (name, address, contact details, and the payment token, which the provider must delete as well) while keeping the financial facts you are legally required to retain (invoice number, date, amount, tax). Replace the link between those records and the customer with a reference that cannot be traced back to the person, and delete the records outright once their retention period has expired.
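The approach in that answer, as an added illustration rather than Progressive Robot's own code or any provider's API: personal fields on retained invoices are overwritten, the customer link is replaced with a random reference stored nowhere else, invoices past retention are deleted outright, and the provider token is handed back so the caller can have the provider delete it. The record layout, the field names, the six-year retention default and the sample customer are all assumptions constructed for the example; the retention period you must apply depends on your jurisdiction.

```python
"""Honouring an erasure request without destroying records that must be kept.
Added illustration, not Progressive Robot's code. The record layout, field
names and the 6-year retention default are assumptions."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, replace
from datetime import date

ERASED = "[erased]"  # value written over personal fields on retained records


@dataclass(frozen=True)
class Customer:
    customer_id: str
    name: str
    email: str
    billing_address: str
    payment_token: str | None  # provider token: it identifies a person, so it is personal data


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    customer_ref: str        # links the invoice to the customer record
    issued: date
    amount_minor: int        # pence/cents: the financial fact that must be kept
    currency: str
    customer_name: str       # personal fields printed on the invoice
    billing_address: str


@dataclass(frozen=True)
class ErasureResult:
    retained: list[Invoice]      # anonymised invoices still inside retention
    deleted: list[str]           # invoice numbers purged outright
    token_to_revoke: str | None  # must also be deleted at the payment provider
    anonymous_ref: str           # replaces customer_id on retained invoices


def _retention_cutoff(today: date, years: int) -> date:
    """Date before which an invoice has left its retention period."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:  # 29 February with a non-leap target year
        return today.replace(year=today.year - years, day=28)


def erase_customer(customer: Customer, invoices: list[Invoice], today: date,
                   retention_years: int = 6) -> ErasureResult:
    """Anonymise the records that must be kept; delete the rest.

    The new customer_ref is random and is stored nowhere else, so the
    retained invoices stay grouped for audit but cannot be joined back to
    the person. Local erasure alone is not enough: the provider token is
    returned so the caller can instruct the provider to delete it too.
    """
    cutoff = _retention_cutoff(today, retention_years)
    anonymous_ref = "anon-" + secrets.token_hex(8)
    retained, deleted = [], []
    for inv in invoices:
        if inv.customer_ref != customer.customer_id:
            raise ValueError(f"{inv.invoice_number} belongs to another customer")
        if inv.issued < cutoff:
            deleted.append(inv.invoice_number)  # no legal reason to keep it
            continue
        retained.append(replace(inv, customer_ref=anonymous_ref,
                                customer_name=ERASED, billing_address=ERASED))
    return ErasureResult(retained, deleted, customer.payment_token, anonymous_ref)


def leaks_personal_data(customer: Customer, result: ErasureResult) -> bool:
    """Post-condition check: none of the customer's identifiers survive."""
    identifiers = {customer.customer_id, customer.name, customer.email,
                   customer.billing_address, customer.payment_token} - {None}
    for inv in result.retained:
        for value in vars(inv).values():
            if isinstance(value, str) and any(ident in value for ident in identifiers):
                return True
    return False


# Constructed sample data for the example; not a real customer.
SAMPLE_CUSTOMER = Customer("cust-1042", "Ada Example", "ada@example.com",
                           "1 Sample Street, Testtown", "tok_abc123")
SAMPLE_INVOICES = [
    Invoice("INV-2017-007", "cust-1042", date(2017, 3, 1), 12000, "GBP",
            "Ada Example", "1 Sample Street, Testtown"),
    Invoice("INV-2019-031", "cust-1042", date(2019, 1, 10), 4500, "GBP",
            "Ada Example", "1 Sample Street, Testtown"),
    Invoice("INV-2023-118", "cust-1042", date(2023, 1, 15), 9900, "GBP",
            "Ada Example", "1 Sample Street, Testtown"),
]


def run_sample(today: date = date(2024, 6, 1)) -> ErasureResult:
    """Erase the sample customer as of a fixed date so the result is repeatable."""
    return erase_customer(SAMPLE_CUSTOMER, SAMPLE_INVOICES, today)


if __name__ == "__main__":
    res = run_sample()
    print("retained:", [i.invoice_number for i in res.retained])
    print("deleted:", res.deleted)
    print("revoke at provider:", res.token_to_revoke)
    print("leaks personal data:", leaks_personal_data(SAMPLE_CUSTOMER, res))
```

With the sample date of 1 June 2024 the 2017 invoice falls outside the six-year window and is deleted, the two later invoices are kept with their amounts intact but their name, address and customer link replaced, and the token is reported for deletion at the provider. The `leaks_personal_data` check is the kind of post-condition worth running before closing the request, because a single field left unmasked (a name printed on a line item, say) undoes the erasure.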
If you need a hand with any of this, your Progressive Robot delivery team is ready to help. Raise a ticket from the Support area of your client portal or speak to your account manager and we will guide you through the next steps.